luminosity | 321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-06-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe
Size

528KB
MD5

021036ddba0dd176450dee2bf9bc78be
SHA1

480b3dd332cc50690b34bc95a787b5550e7b0b1f
SHA256

321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b
SHA512

679528231ff9f2d258abfdbc26c8a7f9d92792186c7c233ec3bdce33659a4ab699034d3f147f9a7a622ea648201916961ea99a79f0e36ff065125f3c5fc22222

Score

10^/10

luminosity rat

Malware Config

Signatures

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

description	ioc	pid	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation		321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe
		1716	schtasks.exe

Executes dropped EXE 2 IoCs

pid	Process
856	file.sfx.exe
3368	file.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	file.sfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
1956	321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe
1956	321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
4180	cmd.exe
4180	cmd.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
1716	schtasks.exe
1716	schtasks.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe
3368	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	file.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3368	file.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 4180	1956	321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe	78
PID 1956 wrote to memory of 4180	1956	321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe	78
PID 1956 wrote to memory of 4180	1956	321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe	78
PID 4180 wrote to memory of 856	4180	cmd.exe	81
PID 4180 wrote to memory of 856	4180	cmd.exe	81
PID 4180 wrote to memory of 856	4180	cmd.exe	81
PID 856 wrote to memory of 3368	856	file.sfx.exe	82
PID 856 wrote to memory of 3368	856	file.sfx.exe	82
PID 856 wrote to memory of 3368	856	file.sfx.exe	82
PID 3368 wrote to memory of 1956	3368	file.exe	77
PID 3368 wrote to memory of 1956	3368	file.exe	77
PID 3368 wrote to memory of 1956	3368	file.exe	77
PID 3368 wrote to memory of 1956	3368	file.exe	77
PID 3368 wrote to memory of 1956	3368	file.exe	77
PID 3368 wrote to memory of 4180	3368	file.exe	78
PID 3368 wrote to memory of 4180	3368	file.exe	78
PID 3368 wrote to memory of 4180	3368	file.exe	78
PID 3368 wrote to memory of 4180	3368	file.exe	78
PID 3368 wrote to memory of 4180	3368	file.exe	78
PID 3368 wrote to memory of 1716	3368	file.exe	83
PID 3368 wrote to memory of 1716	3368	file.exe	83
PID 3368 wrote to memory of 1716	3368	file.exe	83
PID 3368 wrote to memory of 1716	3368	file.exe	83
PID 3368 wrote to memory of 1716	3368	file.exe	83
PID 3368 wrote to memory of 1716	3368	file.exe	83
PID 3368 wrote to memory of 1716	3368	file.exe	83
PID 3368 wrote to memory of 1716	3368	file.exe	83

C:\Users\Admin\AppData\Local\Temp\321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe
"C:\Users\Admin\AppData\Local\Temp\321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe"
1⤵
- Luminosity
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.sfx.exe
    file.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3368
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc onlogon /tn "flash" /rl highest /tr "'C:\ProgramData\494627\adobe.exe' /startup" /f
        5⤵
        Luminosity
        Creates scheduled task(s)
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.sfx.exe

Filesize
421KB

MD5
2ae23c73c42d6ca1edd5079a8f79d201

SHA1
7d05177655dc45ee1d42f71eb74c7b25c673d045

SHA256
abed5db3fa500dac15f4bc593d63c40e1675b07a8495c045c226554d4e3c432d

SHA512
28a36f08af19e82ae15672a538e419dc6e8c4be17827970e9e018e3b201db27c56af29deced3a6881924d522f3083476427ec501a212be16725e0dedefeb0c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.sfx.exe

Filesize
421KB

MD5
2ae23c73c42d6ca1edd5079a8f79d201

SHA1
7d05177655dc45ee1d42f71eb74c7b25c673d045

SHA256
abed5db3fa500dac15f4bc593d63c40e1675b07a8495c045c226554d4e3c432d

SHA512
28a36f08af19e82ae15672a538e419dc6e8c4be17827970e9e018e3b201db27c56af29deced3a6881924d522f3083476427ec501a212be16725e0dedefeb0c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat

Filesize
27B

MD5
b6bf10ab968bbd2f09a2fc4101270792

SHA1
cf44ad7212810afdaa3b14e372266e98479eb265

SHA256
f1aaf3772de986179160ed31976d1eda0ba756883378a97ab56b17e3c99b5864

SHA512
ebc36b8601f77863eb954ca2a4c5435d45a37a6852146b86be9f5c8803387837313c9724f58d8f2fd8c72dbac992cd0200fdaba71cb25bac225e3c4c92cbf0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

Filesize
317KB

MD5
e8287544aae935fee36555cf492f48a7

SHA1
fe3ca2efc08fa5400d409febfcb2f7be745b452f

SHA256
351ab0e5f6f8925cd6adb8ca667d2c12eced771e5e09a7f64981d82a177153d0

SHA512
85f0feb2ee75ad4b1eddbfb38e1ba88187be3a231c0da99486a99143f264ba1ce3c6579ee10f09001f93b1d31d962cfcd41f80ae513a9e09d854d38f4e2e13b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

Filesize
317KB

MD5
e8287544aae935fee36555cf492f48a7

SHA1
fe3ca2efc08fa5400d409febfcb2f7be745b452f

SHA256
351ab0e5f6f8925cd6adb8ca667d2c12eced771e5e09a7f64981d82a177153d0

SHA512
85f0feb2ee75ad4b1eddbfb38e1ba88187be3a231c0da99486a99143f264ba1ce3c6579ee10f09001f93b1d31d962cfcd41f80ae513a9e09d854d38f4e2e13b6

Download Submit
memory/1716-149-0x0000000001310000-0x0000000001327000-memory.dmp

Filesize
92KB

Download
memory/1716-148-0x0000000001310000-0x0000000001327000-memory.dmp

Filesize
92KB

Download
memory/1716-147-0x0000000001310000-0x0000000001327000-memory.dmp

Filesize
92KB

Download
memory/1956-140-0x0000000002770000-0x0000000002787000-memory.dmp

Filesize
92KB

Download
memory/1956-141-0x0000000002770000-0x0000000002787000-memory.dmp

Filesize
92KB

Download
memory/1956-142-0x0000000002770000-0x0000000002787000-memory.dmp

Filesize
92KB

Download
memory/3368-139-0x00000000736D0000-0x0000000073C81000-memory.dmp

Filesize
5.7MB

Download
memory/3368-138-0x00000000736D0000-0x0000000073C81000-memory.dmp

Filesize
5.7MB

Download
memory/4180-144-0x00000000009D0000-0x00000000009E7000-memory.dmp

Filesize
92KB

Download
memory/4180-145-0x00000000009D0000-0x00000000009E7000-memory.dmp

Filesize
92KB

Download
memory/4180-143-0x00000000009D0000-0x00000000009E7000-memory.dmp

Filesize
92KB

Download